The Botnets That Won't Die

The Botnets That Won't Die

Last week the FBI took down the Coreflood botnet—a major network of zombie computers that had been used to steal personal information worth hundreds of thousands of dollars. But the bust relied on an important weakness of conventional botnets—that they are controlled by a few central computers. Take down those central machines and you’ll disable the whole network of as many as hundreds of thousands of compromised PCs. Researchers warn that this weakness does not exist in botnets that use peer-to-peer communications protocols, whereby messages are passed from machine to machine instead of coming from a central command.

Peer-to-peer botnets could become more common if coordinated attacks on conventional botnets continue. “When they feel that centralized botnets have more of a tendency to be shut down by the authorities, then they will turn to peer-to-peer botnets,” says Cliff Zou, a network security researcher at the University of Central Florida.

A botnet is a network of computers that, unknown to their owners, have been compromised by viruses or worms and can be controlled remotely. Spammers and criminal organizations use them to troll for credit card and bank account information.

Some botnets already implemented have used peer-to-peer communications. Computers in such a network keep a list of peers—other computers in the network—and pass information on to them. When the controller wants to issue a command to the botnet, he inserts it into one or more of the peers, and it gradually spreads throughout the network.

But this design is complicated to implement, and authorities have been able to infiltrate these networks and spread phony commands, files, and peer information, intercepting and disrupting communications.

Stephan Eidenbenz of Los Alamos National Laboratory and colleagues designed and simulated a botnet that could prove much more resilient. They describe it in an upcoming paper in Computer Networks.

Their hypothetical botnet would randomly configure itself into a hierarchy, with peers accepting commands only from computers higher up in the hierarchy. Any computer taken over by an outsider would thus be less likely to be able to disrupt the network. The botnet would reconfigure its hierarchy every day, so outsiders would have scant time to track down the highest-level computers that could do the most damage.

The technique, together with strong encryption, would make such botnets hard to analyze and attack. “We believe it could be quite effective,” Eidenbenz warns.

Zou expects that stronger peer-to-peer botnets are only a matter of time. Once someone writes ways to strengthen a botnet’s security into easy-to-implement code, he says, this type of botnet will quickly spread.

But Brett Stone-Gross, a computer security researcher at UC Santa Barbara, thinks that even with improvements, peer-to-peer botnets will remain too complicated and vulnerable to being taken over. Besides, he says, conventional botnets remain very hard to battle. “[Conventional] botnets are still the most effective,” he says. “They’re easy to set up. It really comes down to simplicity vs. complexity. Even if you take down a web server, they’ll pop back up somewhere else. You’ll see it with Coreflood. It will be back online in a couple of weeks.”